spf-discuss

Re: Some thoughts about spam and SPF

2004-08-25 03:39:21
At 11:33 PM 8/24/2004 -0400, Meng Weng Wong wrote:
On Wed, Aug 25, 2004 at 07:24:58AM +0800, AccuSpam wrote:
| 
| Do you see AOL or Earthlink, which both have SPF records, actively preparing their users for SMTP authentication?
| 
| Have you done any estimates on how much $$$$ it might cost Earthlink to upgrade its *millions* of users?
| 

In the typical configuration, only those folks who are
connecting from "off campus" need to configure SMTP AUTH;
the people who are sending mail from the provider's network
don't need to do it.


Agreed:

http://archives.listbox.com/senderkeys-discuss(_at_)v2(_dot_)listbox(_dot_)com/200408/0004.html

That is why I think you need a "probability" option for "all" during 
transition (which may take years).  Else something else might supersede SPF.

Also I raised the issue (in reply to Roger Moser) that a virus MUA on a user's 
computer could defeat the connected "ON campus" case, if SMTP AUTH is not "enabled 
at millions of user computers".


I hear large providers are moving toward SMTP AUTH: for
example, Bellsouth
http://www.dslreports.com/forum/remark,10485779 and I have
heard Interland is doing it too.


Again I hope so.  But "enabled" at the server is not the same cost/benefit 
analysis as "enabled at millions of client computers".


Some people are interested in a very restrictive SMTP AUTH
as a way to enable + versus ? for shared outbound servers.


As long as they do not use "exists" to specify specific users.

Using "exists" to specify users will tell a spammer which addresses to spam and 
forge (because not every recipient will be SPF protected for years).  This 
presents a "chicken and egg" or "catch 22" problem for adoption.



Most people are interested in being able to do SMTP AUTH at
all so they can connect back to their ISP's MTAs even when
they're roaming at a place that blocks or hijacks port 25.

I just send over that ISP's relay when they port 25.  Most ISPs do not enforce 
"From:", nor would their customer base allow them to.
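
The concern raised above about "exists" naming individual users can be checked on a record before it is published. The following is an added example, not code from this thread: it flags "exists" mechanisms whose domain-spec uses the local-part (l) or sender (s) macro of RFC 7208, since those make the DNS answer depend on the individual address. The function name and the example.com/example.org records are constructed for illustration.

```python
import re

# SPF macro syntax (RFC 7208, section 7): %{<letter><digits><r><delimiters>}
MACRO = re.compile(r"%\{([A-Za-z])(\d*)(r?)([.\-+,/_=]*)\}")
# Macro letters that expand to something unique per sender address.
PER_USER = {"l", "s"}  # l = local-part, s = full sender address
EXISTS = re.compile(r"^([+\-~?]?)exists:(.+)$", re.IGNORECASE)


def per_user_exists(record):
    """Return (qualifier, domain_spec) for each exists: term in an SPF
    record whose DNS lookup name varies with the sender's mailbox."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    flagged = []
    for term in terms[1:]:
        m = EXISTS.match(term)
        if not m:
            continue
        qualifier = m.group(1) or "+"  # an omitted qualifier means "+"
        spec = m.group(2)
        letters = {x.group(1).lower() for x in MACRO.finditer(spec)}
        if letters & PER_USER:
            flagged.append((qualifier, spec))
    return flagged


# Constructed sample records (not taken from any real domain).
SAMPLES = [
    "v=spf1 mx exists:%{l}._spf.%{d} -all",           # per-user lookup
    "v=spf1 exists:%{ir}.allow.example.org ?all",     # per-IP lookup only
    "v=spf1 ~exists:%{L1r-}.users.example.com -all",  # transformed local-part
    "v=spf1 a mx -all",                               # no exists at all
]

if __name__ == "__main__":
    for rec in SAMPLES:
        hits = per_user_exists(rec)
        print("REVIEW" if hits else "ok    ", rec, hits)
```

A flagged record is one where answering the "exists" query differently per mailbox would let anyone who can query DNS learn which local parts are listed.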